2.17 Set Sticky Bit on All World-Writable Directories

Information

Setting the sticky bit on world-writable directories prevents users from deleting or
renaming files in those directories that they do not own.

*Rationale*

This prevents users from deleting or renaming files in world-writable directories
(such as /tmp) that are owned by another user.

Solution

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
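As an added example, not taken from the CIS benchmark or the Tenable audit, the following POSIX shell script splits the remediation above into an audit step (report only the world-writable directories that still lack the sticky bit) and a fix step, scoped to a single directory tree passed as a parameter rather than every local filesystem. The sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CIS/Tenable page): audit world-writable
# directories missing the sticky bit, then remediate. Assumes POSIX
# find/chmod/mktemp; the root path argument is this example's own choice.

# List world-writable directories under $1 that lack the sticky bit.
# Same -perm -0002 test as the page's command, plus "! -perm -1000" so
# directories that are already compliant (e.g. a 1777 /tmp) are not reported.
find_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Remediate: set the sticky bit (a+t) on every directory the audit reports.
# A read loop is used instead of xargs so an empty result does not run chmod
# with no operands (GNU "xargs -r" would also avoid that, but is not POSIX).
fix_unsticky_world_writable() {
    find_unsticky_world_writable "$1" | while IFS= read -r d; do
        chmod a+t "$d"
    done
}

# Constructed sample tree so the script runs self-contained; prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/shared" "$root/ok_tmp" "$root/private"
    chmod 1777 "$root/ok_tmp"   # compliant: world-writable with sticky bit
    chmod 0777 "$root/shared"   # finding: world-writable, no sticky bit
    chmod 0755 "$root/private"  # not world-writable, out of scope
    printf '%s\n' "$root"
}
```

Running the audit function before and after the fix on a real host gives the same before/after evidence an auditor would expect: a non-empty list, then an empty one.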

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 02a46b588748a2c0588d3cd82886f85149963dc7aa8a9d589b0dce4b888f4aae